...
spec:
config:
network:
internal-encryption: "true"
...
You can use Transport Layer Security (TLS) to encrypt Knative traffic and for authentication.
TLS is the only supported method of traffic encryption for Knative Kafka. Red Hat recommends using both SASL and TLS together for Knative Kafka resources.
If you want to enable internal TLS with a Red Hat OpenShift Service Mesh integration, you must enable Service Mesh with mTLS instead of the internal encryption explained in the following procedure. See the documentation for Enabling Knative Serving metrics when using Service Mesh with mTLS. |
OpenShift Serverless supports TLS edge termination by default, so that HTTPS traffic from end users is encrypted. However, internal traffic behind the OpenShift route is forwarded to applications by using plain data. By enabling TLS for internal traffic, the traffic sent between components is encrypted, which makes this traffic more secure.
If you want to enable internal TLS with a Red Hat OpenShift Service Mesh integration, you must enable Service Mesh with mTLS instead of the internal encryption explained in the following procedure. |
Internal TLS encryption support is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/. |
You have installed the OpenShift Serverless Operator and Knative Serving.
You have installed the OpenShift (oc
) CLI.
Create a Knative service that includes the internal-encryption: "true"
field in the spec:
...
spec:
config:
network:
internal-encryption: "true"
...
Restart the activator pods in the knative-serving
namespace to load the certificates:
$ oc delete pod -n knative-serving --selector app=activator
For cluster local services, the Kourier local gateway kourier-internal
is used. If you want to use TLS traffic against the Kourier local gateway, you must configure your own server certificates in the local gateway.
You have installed the OpenShift Serverless Operator and Knative Serving.
You have administrator permissions.
You have installed the OpenShift (oc
) CLI.
Deploy server certificates in the knative-serving-ingress
namespace:
$ export san="knative"
Subject Alternative Name (SAN) validation is required so that these certificates can serve the request to |
Generate a root key and certificate:
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
-subj '/O=Example/CN=Example' \
-keyout ca.key \
-out ca.crt
Generate a server key that uses SAN validation:
$ openssl req -out tls.csr -newkey rsa:2048 -nodes -keyout tls.key \
-subj "/CN=Example/O=Example" \
-addext "subjectAltName = DNS:$san"
Create server certificates:
$ openssl x509 -req -extfile <(printf "subjectAltName=DNS:$san") \
-days 365 -in tls.csr \
-CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt
Configure a secret for the Kourier local gateway:
Deploy a secret in knative-serving-ingress
namespace from the certificates created by the previous steps:
$ oc create -n knative-serving-ingress secret tls server-certs \
--key=tls.key \
--cert=tls.crt --dry-run=client -o yaml | oc apply -f -
Update the KnativeServing
custom resource (CR) spec to use the secret that was created by the Kourier gateway:
...
spec:
config:
kourier:
cluster-cert-secret: server-certs
...
The Kourier controller sets the certificate without restarting the service, so that you do not need to restart the pod.
You can access the Kourier internal service with TLS through port 443
by mounting and using the ca.crt
from the client.
After you have configured a custom domain for a Knative service, you can use a TLS certificate to secure the mapped service. To do this, you must create a Kubernetes TLS secret, and then update the DomainMapping
CR to use the TLS secret that you
have created.
If you use To work around this issue, enable mTLS by deploying |
You configured a custom domain for a Knative service and have a working DomainMapping
CR.
You have a TLS certificate from your certificate Authority provider or a self-signed certificate.
You have obtained the cert
and key
files from your certificate Authority provider, or a self-signed certificate.
Install the OpenShift CLI (oc
).
Create a Kubernetes TLS secret:
$ oc create secret tls <tls_secret_name> --cert=<path_to_certificate_file> --key=<path_to_key_file>
If you are using Red Hat OpenShift Service Mesh as the ingress for your OpenShift Serverless installation, label the Kubernetes TLS secret with the following:
“networking.internal.knative.dev/certificate-uid": “<value>”
If you are using a third-party secret provider such as cert-manager, you can configure your secret manager to label the Kubernetes TLS secret automatically. Cert-manager users can use the secret template offered to automatically generate secrets with the correct label. In this case, secret filtering is done based on the key only, but this value can carry useful information such as the certificate ID that the secret contains.
The {cert-manager-operator} is a Technology Preview feature. For more information, see the Installing the {cert-manager-operator} documentation. |
Update the DomainMapping
CR to use the TLS secret that you have created:
apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
name: <domain_name>
namespace: <namespace>
spec:
ref:
name: <service_name>
kind: Service
apiVersion: serving.knative.dev/v1
# TLS block specifies the secret to be used
tls:
secretName: <tls_secret_name>
Verify that the DomainMapping
CR status is True
, and that the URL
column of the output shows the mapped domain with the scheme https
:
$ oc get domainmapping <domain_name>
NAME URL READY REASON
example.com https://example.com True
Optional: If the service is exposed publicly, verify that it is available by running the following command:
$ curl https://<domain_name>
If the certificate is self-signed, skip verification by adding the -k
flag to the curl
command.
Transport Layer Security (TLS) is used by Apache Kafka clients and servers to encrypt traffic between Knative and Kafka, as well as for authentication. TLS is the only supported method of traffic encryption for Knative Kafka.
You have cluster administrator permissions on OpenShift Container Platform.
The OpenShift Serverless Operator, Knative Eventing, and the KnativeKafka
CR are installed on your OpenShift Container Platform cluster.
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in OpenShift Container Platform.
You have a Kafka cluster CA certificate stored as a .pem
file.
You have a Kafka cluster client certificate and a key stored as .pem
files.
Install the OpenShift CLI (oc
).
Create the certificate files as a secret in the knative-eventing
namespace:
$ oc create secret -n knative-eventing generic <secret_name> \
--from-literal=protocol=SSL \
--from-file=ca.crt=caroot.pem \
--from-file=user.crt=certificate.pem \
--from-file=user.key=key.pem
Use the key names |
Edit the KnativeKafka
CR and add a reference to your secret in the broker
spec:
apiVersion: operator.serverless.openshift.io/v1alpha1
kind: KnativeKafka
metadata:
namespace: knative-eventing
name: knative-kafka
spec:
broker:
enabled: true
defaultConfig:
authSecretName: <secret_name>
...
Transport Layer Security (TLS) is used by Apache Kafka clients and servers to encrypt traffic between Knative and Kafka, as well as for authentication. TLS is the only supported method of traffic encryption for Knative Kafka.
You have cluster administrator permissions on OpenShift Container Platform.
The OpenShift Serverless Operator, Knative Eventing, and the KnativeKafka
CR are installed on your OpenShift Container Platform cluster.
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in OpenShift Container Platform.
You have a Kafka cluster CA certificate stored as a .pem
file.
You have a Kafka cluster client certificate and a key stored as .pem
files.
Install the OpenShift CLI (oc
).
Create the certificate files as secrets in your chosen namespace:
$ oc create secret -n <namespace> generic <kafka_auth_secret> \
--from-file=ca.crt=caroot.pem \
--from-file=user.crt=certificate.pem \
--from-file=user.key=key.pem
Use the key names |
Start editing the KnativeKafka
custom resource:
$ oc edit knativekafka
Reference your secret and the namespace of the secret:
apiVersion: operator.serverless.openshift.io/v1alpha1
kind: KnativeKafka
metadata:
namespace: knative-eventing
name: knative-kafka
spec:
channel:
authSecretName: <kafka_auth_secret>
authSecretNamespace: <kafka_auth_secret_namespace>
bootstrapServers: <bootstrap_servers>
enabled: true
source:
enabled: true
Make sure to specify the matching port in the bootstrap server. |
For example:
apiVersion: operator.serverless.openshift.io/v1alpha1
kind: KnativeKafka
metadata:
namespace: knative-eventing
name: knative-kafka
spec:
channel:
authSecretName: tls-user
authSecretNamespace: kafka
bootstrapServers: eventing-kafka-bootstrap.kafka.svc:9094
enabled: true
source:
enabled: true